OpenStreetMap

Salesforce Callout Exception -'handshaking failed'

While making an HTTP callout from SFDC to an external system, it returns 'Handshaking failed', and on the client side the request is failing at the Blue Coat firewall with the error 'EXCEPTION(ssl_client_cert_untrusted_issuer)'. We gave the SFDC self-signed cert to the client. Do we have to provide a CA cert, or is the issue something else?

Regards,
Neha
Ashish_SFDC
Hi Neha, 


ssl_client_cert_untrusted_issuer: Untrusted SSL Client Certificate (HTTP Response Code: 503). A Web site presents an incorrect or invalid certificate or a configuration error has occurred.

https://bto.bluecoat.com/sgos/cacheflow/CF_webguide/Content/Policy/Built-in-Exceptions-List.htm


It looks like the client certificate you receive does not have the expected properties. Specifically, it looks like its subject canonical name field isn't matching the expected "proxy.salesforce.com".

In your situation, I would set up a tcpdump on the external interface of your reverse proxy waiting for a connection from 96.43.148.8. I'd then feed the result of that trace into Wireshark so that it would parse the SSL handshake and allow you to grab the subject.cn of the certificate used for SSL client authentication.

That should give you a good indication of what is failing.

http://serverfault.com/questions/514933/reverse-proxy-will-not-authenticate-sslrequire-for-salesforce-com


What SSL certificates does Salesforce support for Delegated Authentication SSO, Apex callouts, Outbound Messaging, and other callouts?

https://help.salesforce.com/apex/HTViewSolution?urlname=What-SSL-certificates-does-Salesforce-support-for-Delegated-Authentication-SSO-Apex-callouts-Outbound-Messaging-and-other-callouts-1327366399006&language=en_US


When 2-way SSL/mutual authentication is configured on a target endpoint, if the target server does not advertise the CA signed certificates it accepts, Salesforce will not send the configured custom certificate when making HTTPS callouts. The target endpoint needs to tell Salesforce.com in the HTTPS ServerHello message the list of accepted certificate subject distinguished names (DN) that it accepts. If the provided certificate is signed by at least one of those DNs or if it has a certificate chain where at least one of those certificates was signed by a cert identified by the DNs that the server advertised, then Salesforce.com will send the client certificate.


https://help.salesforce.com/apex/HTViewSolution?urlname=In-2-way-SSL-when-making-HTTPS-callouts-will-Salesforce-send-the-client-certificate-if-my-server-does-not-advertise-any-CA-names&language=en_US


Regards,
Ashish
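The two checks in the answer above (what the server advertises as acceptable client CAs, and whether the client certificate's issuer chain matches one of them) can be worked through offline. The following is an added example, not code from the original thread or from Salesforce: it parses the "Acceptable client certificate CA names" block that `openssl s_client -connect host:443` prints (the CA names arrive in the TLS CertificateRequest message that follows the ServerHello), then applies the matching rule quoted from the Salesforce help article to a client certificate chain. The `s_client` excerpt and the certificate subjects/issuers are constructed sample data, and the function names are this example's own.

```python
"""Diagnose why a 2-way TLS client certificate is not accepted.

Rule (from the Salesforce help note quoted above): the client sends its
certificate only if the issuer of some certificate in its chain matches one of
the CA distinguished names the server advertised in its CertificateRequest.
"""
from typing import Dict, List

DN = Dict[str, str]          # e.g. {"C": "US", "O": "Example Corp", "CN": "..."}
Cert = Dict[str, DN]         # {"subject": DN, "issuer": DN}

# Constructed excerpt of `openssl s_client` output; not captured from a real host.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Corporate Root CA
C = US, O = Example Corp, CN = Example Partner Issuing CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256
---
"""


def parse_dn(text: str) -> DN:
    """Parse a DN in either OpenSSL one-line form ('C = US, O = X, CN = Y')
    or legacy slash form ('/C=US/O=X/CN=Y'). Values containing ',' or '/'
    are not handled; enough for diagnosing typical CA names."""
    text = text.strip()
    parts = [p for p in text.split("/") if p] if text.startswith("/") else text.split(",")
    dn: DN = {}
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        dn[key.strip().upper()] = value.strip()
    return dn


def advertised_ca_names(s_client_output: str) -> List[DN]:
    """Return the DNs listed under 'Acceptable client certificate CA names'.
    If the server sent none, s_client prints 'No client certificate CA names
    sent' instead and this returns an empty list."""
    names: List[DN] = []
    in_block = False
    for line in s_client_output.splitlines():
        if line.startswith("Acceptable client certificate CA names"):
            in_block = True
            continue
        if in_block:
            if "=" not in line:      # first non-DN line ends the block
                break
            names.append(parse_dn(line))
    return names


def client_will_send_cert(chain: List[Cert], acceptable: List[DN]) -> bool:
    """Apply the quoted rule: some issuer in the chain must equal an
    advertised CA name (dict equality ignores attribute order)."""
    return any(cert["issuer"] in acceptable for cert in chain)


def explain(chain: List[Cert], acceptable: List[DN]) -> str:
    """Human-readable verdict for the operator running the check."""
    if not acceptable:
        return "server advertised no CA names; client certificate will not be sent"
    if client_will_send_cert(chain, acceptable):
        return "client certificate will be sent"
    leaf = chain[0]
    if leaf["subject"] == leaf["issuer"]:
        return ("self-signed client certificate: the server must trust it as an "
                "issuer and advertise its own subject DN")
    return "no issuer in the client chain matches an advertised CA name"


# Constructed certificates for the two cases discussed in the thread.
SELF_SIGNED_CERT: Cert = {
    "subject": parse_dn("C = US, O = Acme, CN = acme-sfdc-callout"),
    "issuer": parse_dn("C = US, O = Acme, CN = acme-sfdc-callout"),
}
CA_SIGNED_CERT: Cert = {
    "subject": parse_dn("C = US, O = Acme, CN = acme-sfdc-callout"),
    "issuer": parse_dn("C = US, O = Example Corp, CN = Example Partner Issuing CA"),
}

if __name__ == "__main__":
    cas = advertised_ca_names(SAMPLE_S_CLIENT_OUTPUT)
    print("advertised CA names:", cas)
    print("self-signed:", explain([SELF_SIGNED_CERT], cas))
    print("CA-signed:  ", explain([CA_SIGNED_CERT], cas))
```

Run `openssl s_client -connect <endpoint>:443 -showcerts </dev/null` against the endpoint and paste its output in place of the constructed sample; an empty list from `advertised_ca_names` is the "server does not advertise CA names" case from the help article, and for a self-signed client certificate the server's trust store has to contain that certificate and advertise its subject DN.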